keystone.federation package

Submodules

keystone.federation.constants module

keystone.federation.controllers module

Workflow logic for the Federation service.

class keystone.federation.controllers.Auth(*args, **kw)[source]

Bases: keystone.auth.controllers.Auth

create_ecp_assertion(*args, **kwargs)[source]

Exchange a scoped token for an ECP assertion.

Parameters:auth – Dictionary that contains a token and service provider ID
Returns:ECP Assertion based on properties from the token
create_saml_assertion(*args, **kwargs)[source]

Exchange a scoped token for a SAML assertion.

Parameters:auth – Dictionary that contains a token and service provider ID
Returns:SAML Assertion based on properties from the token
federated_authentication(context, idp_id, protocol_id)[source]

Authenticate from dedicated url endpoint.

Build HTTP request body for federated authentication and inject it into the authenticate_for_token function.

federated_idp_specific_sso_auth(context, idp_id, protocol_id)[source]
federated_sso_auth(context, protocol_id)[source]
render_html_response(host, token_id)[source]

Forms an HTML Form from a template with autosubmit.

class keystone.federation.controllers.DomainV3[source]

Bases: keystone.common.controller.V3Controller

collection_name = 'domains'
list_domains_for_groups(context, *args, **kwargs)[source]

List all domains available to an authenticated user’s groups.

Parameters:context – request context
Returns:list of accessible domains
member_name = 'domain'
class keystone.federation.controllers.FederationProtocol(*args, **kwargs)[source]

Bases: keystone.federation.controllers._ControllerBase

A federation protocol representation.

See keystone.common.controller.V3Controller docstring for explanation on _public_parameters class attributes.

collection_name = 'protocols'
create_protocol(context, *args, **kwargs)[source]
delete_protocol(context, *args, **kwargs)[source]
get_protocol(context, *args, **kwargs)[source]
list_protocols(context, *args, **kwargs)[source]
member_name = 'protocol'
update_protocol(context, *args, **kwargs)[source]
classmethod wrap_member(context, ref)[source]
class keystone.federation.controllers.IdentityProvider(*args, **kwargs)[source]

Bases: keystone.federation.controllers._ControllerBase

Identity Provider representation.

collection_name = 'identity_providers'
create_identity_provider(context, *args, **kwargs)[source]
delete_identity_provider(context, *args, **kwargs)[source]
get_identity_provider(context, *args, **kwargs)[source]
list_identity_providers(context, **kwargs)[source]
member_name = 'identity_provider'
update_identity_provider(context, *args, **kwargs)[source]
classmethod wrap_member(context, ref)[source]
class keystone.federation.controllers.MappingController(*args, **kwargs)[source]

Bases: keystone.federation.controllers._ControllerBase

collection_name = 'mappings'
create_mapping(context, *args, **kwargs)[source]
delete_mapping(context, *args, **kwargs)[source]
get_mapping(context, *args, **kwargs)[source]
list_mappings(context, *args, **kwargs)[source]
member_name = 'mapping'
update_mapping(context, *args, **kwargs)[source]
class keystone.federation.controllers.ProjectAssignmentV3[source]

Bases: keystone.common.controller.V3Controller

collection_name = 'projects'
list_projects_for_groups(context, *args, **kwargs)[source]

List all projects available to an authenticated user’s groups.

Parameters:context – request context
Returns:list of accessible projects
member_name = 'project'
class keystone.federation.controllers.SAMLMetadataV3(*args, **kwargs)[source]

Bases: keystone.federation.controllers._ControllerBase

get_metadata(context)[source]
member_name = 'metadata'
class keystone.federation.controllers.ServiceProvider(*args, **kwargs)[source]

Bases: keystone.federation.controllers._ControllerBase

Service Provider representation.

collection_name = 'service_providers'
create_service_provider(context, *args, **kwargs)[source]
delete_service_provider(context, *args, **kwargs)[source]
get_service_provider(context, *args, **kwargs)[source]
list_service_providers(context, **kwargs)[source]
member_name = 'service_provider'
update_service_provider(context, *args, **kwargs)[source]

keystone.federation.core module

Main entry point into the Federation service.

class keystone.federation.core.FederationDriverBase[source]

Bases: object

create_idp(idp_id, idp)[source]

Create an identity provider.

Parameters:
  • idp_id (string) – ID of IdP object
  • idp (dict) – idp object
Returns:

idp ref
Return type:

dict
create_mapping(mapping_id, mapping)[source]

Create a mapping.

Parameters:
  • mapping_id (string) – ID of mapping object
  • mapping (dict) – mapping ref with mapping name
Returns:

mapping ref
Return type:

dict
create_protocol(idp_id, protocol_id, protocol)[source]

Add an IdP-Protocol configuration.

Parameters:
  • idp_id (string) – ID of IdP object
  • protocol_id (string) – ID of protocol object
  • protocol (dict) – protocol object
Raises keystone.exception.IdentityProviderNotFound:
 

If the IdP doesn’t exist.
Returns:

protocol ref
Return type:

dict
create_sp(sp_id, sp)[source]

Create a service provider.

Parameters:
  • sp_id (string) – id of the service provider
  • sp (dict) – service prvider object
Returns:

service provider ref
Return type:

dict
delete_idp(idp_id)[source]

Delete an identity provider.

Parameters:idp_id (string) – ID of IdP object
Raises keystone.exception.IdentityProviderNotFound:
 If the IdP doesn’t exist.
delete_mapping(mapping_id)[source]

Delete a mapping.

Parameters:mapping_id – id of mapping to delete
Returns:None
delete_protocol(idp_id, protocol_id)[source]

Delete an IdP-Protocol configuration.

Parameters:
  • idp_id (string) – ID of IdP object
  • protocol_id (string) – ID of protocol object
Raises:
delete_sp(sp_id)[source]

Delete a service provider.

Parameters:sp_id (string) – id of the service provider
Raises keystone.exception.ServiceProviderNotFound:
 If the service provider doesn’t exist.
get_enabled_service_providers()[source]

List enabled service providers for Service Catalog

Service Provider in a catalog contains three attributes: id, auth_url, sp_url, where:

  • id is a unique, user defined identifier for service provider object
  • auth_url is an authentication URL of remote Keystone
  • sp_url a URL accessible at the remote service provider where SAML assertion is transmitted.
Returns:list of dictionaries with enabled service providers
Return type:list of dicts
get_idp(idp_id)[source]

Get an identity provider by ID.

Parameters:idp_id (string) – ID of IdP object
Raises keystone.exception.IdentityProviderNotFound:
 If the IdP doesn’t exist.
Returns:idp ref
Return type:dict
get_idp_from_remote_id(remote_id)[source]

Get an identity provider by remote ID.

Parameters:remote_id – ID of remote IdP
Raises keystone.exception.IdentityProviderNotFound:
 If the IdP doesn’t exist.
Returns:idp ref
Return type:dict
get_mapping(mapping_id)[source]

Get a mapping, returns the mapping based on mapping_id.

Parameters:mapping_id – id of mapping to get
Raises keystone.exception.MappingNotFound:
 If the mapping cannot be found.
Returns:mapping ref
Return type:dict
get_mapping_from_idp_and_protocol(idp_id, protocol_id)[source]

Get mapping based on idp_id and protocol_id.

Parameters:
  • idp_id (string) – id of the identity provider
  • protocol_id (string) – id of the protocol
Raises:
Returns:

mapping ref
Return type:

dict
get_protocol(idp_id, protocol_id)[source]

Get an IdP-Protocol configuration.

Parameters:
  • idp_id (string) – ID of IdP object
  • protocol_id (string) – ID of protocol object
Raises:
Returns:

protocol ref
Return type:

dict
get_sp(sp_id)[source]

Get a service provider.

Parameters:sp_id (string) – id of the service provider
Returns:service provider ref
Return type:dict
Raises keystone.exception.ServiceProviderNotFound:
 If the service provider doesn’t exist.
list_mappings()[source]

List all mappings.

Returns:list of mapping refs
Return type:list of dicts
list_protocols(idp_id)[source]

List an IdP’s supported protocols.

Parameters:idp_id (string) – ID of IdP object
Raises keystone.exception.IdentityProviderNotFound:
 If the IdP doesn’t exist.
Returns:list of protocol ref
Return type:list of dict
update_idp(idp_id, idp)[source]

Update an identity provider by ID.

Parameters:
  • idp_id (string) – ID of IdP object
  • idp (dict) – idp object
Raises keystone.exception.IdentityProviderNotFound:
 

If the IdP doesn’t exist.
Returns:

idp ref
Return type:

dict
update_mapping(mapping_id, mapping_ref)[source]

Update a mapping.

Parameters:
  • mapping_id (string) – id of mapping to update
  • mapping_ref (dict) – new mapping ref
Returns:

mapping ref
Return type:

dict
update_protocol(idp_id, protocol_id, protocol)[source]

Change an IdP-Protocol configuration.

Parameters:
  • idp_id (string) – ID of IdP object
  • protocol_id (string) – ID of protocol object
  • protocol (dict) – protocol object
Raises:
Returns:

protocol ref
Return type:

dict
update_sp(sp_id, sp)[source]

Update a service provider.

Parameters:
  • sp_id (string) – id of the service provider
  • sp (dict) – service prvider object
Returns:

service provider ref
Return type:

dict
Raises keystone.exception.ServiceProviderNotFound:
 

If the service provider doesn’t exist.
class keystone.federation.core.FederationDriverV8[source]

Bases: keystone.federation.core.FederationDriverBase

Removed or redefined methods from V8.

Move the abstract methods of any methods removed or modified in later versions of the driver from FederationDriverBase to here. We maintain this so that legacy drivers, which will be a subclass of FederationDriverV8, can still reference them.

list_idps()[source]

List all identity providers.

Returns:list of idp refs
Return type:list of dicts
Raises keystone.exception.IdentityProviderNotFound:
 If the IdP doesn’t exist.
list_sps()[source]

List all service providers.

Returns:List of service provider ref objects
Return type:list of dicts
class keystone.federation.core.FederationDriverV9[source]

Bases: keystone.federation.core.FederationDriverBase

New or redefined methods from V8.

Add any new V9 abstract methods (or those with modified signatures) to this class.

list_idps(hints)[source]

List all identity providers.

Parameters:hints – filter hints which the driver should implement if at all possible.
Returns:list of idp refs
Return type:list of dicts
Raises keystone.exception.IdentityProviderNotFound:
 If the IdP doesn’t exist.
list_sps(hints)[source]

List all service providers.

Parameters:hints – filter hints which the driver should implement if at all possible.
Returns:List of service provider ref objects
Return type:list of dicts
Raises keystone.exception.ServiceProviderNotFound:
 If the SP doesn’t exist.
class keystone.federation.core.Manager(*args, **kwargs)[source]

Bases: keystone.common.manager.Manager

Default pivot point for the Federation backend.

See keystone.common.manager.Manager for more details on how this dynamically calls the backend.

driver_namespace = 'keystone.federation'
evaluate(*args, **kwargs)[source]
get_enabled_service_providers(*args, **kwargs)[source]

List enabled service providers for Service Catalog

Service Provider in a catalog contains three attributes: id, auth_url, sp_url, where:

  • id is a unique, user defined identifier for service provider object
  • auth_url is an authentication URL of remote Keystone
  • sp_url a URL accessible at the remote service provider where SAML assertion is transmitted.
Returns:list of dictionaries with enabled service providers
Return type:list of dicts
class keystone.federation.core.V9FederationWrapperForV8Driver(*args, **kwargs)[source]

Bases: keystone.federation.core.FederationDriverV9

Wrapper class to supported a V8 legacy driver.

In order to support legacy drivers without having to make the manager code driver-version aware, we wrap legacy drivers so that they look like the latest version. For the various changes made in a new driver, here are the actions needed in this wrapper:

Method removed from new driver - remove the call-through method from this
class, since the manager will no longer be calling it.
Method signature (or meaning) changed - wrap the old method in a new
signature here, and munge the input and output parameters accordingly.
New method added to new driver - add a method to implement the new
functionality here if possible. If that is not possible, then return NotImplemented, since we do not guarantee to support new functionality with legacy drivers.
create_idp(idp_id, idp)[source]
create_mapping(mapping_id, mapping)[source]
create_protocol(idp_id, protocol_id, protocol)[source]
create_sp(sp_id, sp)[source]
delete_idp(idp_id)[source]
delete_mapping(mapping_id)[source]
delete_protocol(idp_id, protocol_id)[source]
delete_sp(sp_id)[source]
get_enabled_service_providers()[source]
get_idp(idp_id)[source]
get_idp_from_remote_id(remote_id)[source]
get_mapping(mapping_id)[source]
get_mapping_from_idp_and_protocol(idp_id, protocol_id)[source]
get_protocol(idp_id, protocol_id)[source]
get_sp(sp_id)[source]
list_idps(hints)[source]
list_mappings()[source]
list_protocols(idp_id)[source]
list_sps(hints)[source]
update_idp(idp_id, idp)[source]
update_mapping(mapping_id, mapping_ref)[source]
update_protocol(idp_id, protocol_id, protocol)[source]
update_sp(sp_id, sp)[source]

keystone.federation.idp module

class keystone.federation.idp.ECPGenerator[source]

Bases: object

A class for generating an ECP assertion.

static generate_ecp(saml_assertion, relay_state_prefix)[source]
class keystone.federation.idp.MetadataGenerator[source]

Bases: object

A class for generating SAML IdP Metadata.

generate_metadata()[source]

Generate Identity Provider Metadata.

Generate and format metadata into XML that can be exposed and consumed by a federated Service Provider.

Returns:XML <EntityDescriptor> object.
Raises keystone.exception.ValidationError:
 If the required config options aren’t set.
class keystone.federation.idp.SAMLGenerator[source]

Bases: object

A class to generate SAML assertions.

samlize_token(issuer, recipient, user, user_domain_name, roles, project, project_domain_name, expires_in=None)[source]

Convert Keystone attributes to a SAML assertion.

Parameters:
  • issuer (string) – URL of the issuing party
  • recipient (string) – URL of the recipient
  • user (string) – User name
  • user_domain_name (string) – User Domain name
  • roles (list) – List of role names
  • project (string) – Project name
  • project_domain_name (string) – Project Domain name
  • expires_in (int) – Sets how long the assertion is valid for, in seconds
Returns:

XML <Response> object

keystone.federation.routers module

class keystone.federation.routers.Routers[source]

Bases: keystone.common.wsgi.RoutersBase

API Endpoints for the Federation extension.

The API looks like:

PUT /OS-FEDERATION/identity_providers/{idp_id}
GET /OS-FEDERATION/identity_providers
GET /OS-FEDERATION/identity_providers/{idp_id}
DELETE /OS-FEDERATION/identity_providers/{idp_id}
PATCH /OS-FEDERATION/identity_providers/{idp_id}

PUT /OS-FEDERATION/identity_providers/
    {idp_id}/protocols/{protocol_id}
GET /OS-FEDERATION/identity_providers/
    {idp_id}/protocols
GET /OS-FEDERATION/identity_providers/
    {idp_id}/protocols/{protocol_id}
PATCH /OS-FEDERATION/identity_providers/
    {idp_id}/protocols/{protocol_id}
DELETE /OS-FEDERATION/identity_providers/
    {idp_id}/protocols/{protocol_id}

PUT /OS-FEDERATION/mappings
GET /OS-FEDERATION/mappings
PATCH /OS-FEDERATION/mappings/{mapping_id}
GET /OS-FEDERATION/mappings/{mapping_id}
DELETE /OS-FEDERATION/mappings/{mapping_id}

GET /OS-FEDERATION/projects
GET /OS-FEDERATION/domains

PUT /OS-FEDERATION/service_providers/{sp_id}
GET /OS-FEDERATION/service_providers
GET /OS-FEDERATION/service_providers/{sp_id}
DELETE /OS-FEDERATION/service_providers/{sp_id}
PATCH /OS-FEDERATION/service_providers/{sp_id}

GET /OS-FEDERATION/identity_providers/{idp_id}/
    protocols/{protocol_id}/auth
POST /OS-FEDERATION/identity_providers/{idp_id}/
    protocols/{protocol_id}/auth
GET /auth/OS-FEDERATION/identity_providers/
    {idp_id}/protocols/{protocol_id}/websso
    ?origin=https%3A//horizon.example.com
POST /auth/OS-FEDERATION/identity_providers/
    {idp_id}/protocols/{protocol_id}/websso
    ?origin=https%3A//horizon.example.com


POST /auth/OS-FEDERATION/saml2
POST /auth/OS-FEDERATION/saml2/ecp
GET /OS-FEDERATION/saml2/metadata

GET /auth/OS-FEDERATION/websso/{protocol_id}
    ?origin=https%3A//horizon.example.com

POST /auth/OS-FEDERATION/websso/{protocol_id}
     ?origin=https%3A//horizon.example.com
append_v3_routers(mapper, routers)[source]

keystone.federation.schema module

keystone.federation.utils module

Utilities for Federation Extension.

class keystone.federation.utils.DirectMaps[source]

Bases: object

An abstraction around the remote matches.

Each match is treated internally as a list.

add(values)[source]

Adds a matched value to the list of matches.

Parameters:value (list) – the match to save
class keystone.federation.utils.RuleProcessor(mapping_id, rules)[source]

Bases: object

A class to process assertions and mapping rules.

process(assertion_data)[source]

Transform assertion to a dictionary.

The dictionary contains mapping of user name and group ids based on mapping rules.

This function will iterate through the mapping rules to find assertions that are valid.

Parameters:assertion_data (dict) – an assertion containing values from an IdP

Example assertion_data:

{
    'Email': 'testacct@example.com',
    'UserName': 'testacct',
    'FirstName': 'Test',
    'LastName': 'Account',
    'orgPersonType': 'Tester'
}
Returns:dictionary with user and group_ids

The expected return structure is:

{
    'name': 'foobar',
    'group_ids': ['abc123', 'def456'],
    'group_names': [
        {
            'name': 'group_name_1',
            'domain': {
                'name': 'domain1'
            }
        },
        {
            'name': 'group_name_1_1',
            'domain': {
                'name': 'domain1'
            }
        },
        {
            'name': 'group_name_2',
            'domain': {
                'id': 'xyz132'
            }
        }
    ]
}
class keystone.federation.utils.UserType[source]

Bases: object

User mapping type.

EPHEMERAL = 'ephemeral'
LOCAL = 'local'
keystone.federation.utils.assert_enabled_identity_provider(federation_api, idp_id)[source]
keystone.federation.utils.assert_enabled_service_provider_object(service_provider)[source]
keystone.federation.utils.get_assertion_params_from_env(context)[source]
keystone.federation.utils.get_remote_id_parameter(protocol)[source]
keystone.federation.utils.transform_to_group_ids(group_names, mapping_id, identity_api, resource_api)[source]

Transform groups identified by name/domain to their ids

Function accepts list of groups identified by a name and domain giving a list of group ids in return.

Example of group_names parameter:

[
    {
        "name": "group_name",
        "domain": {
            "id": "domain_id"
        },
    },
    {
        "name": "group_name_2",
        "domain": {
            "name": "domain_name"
        }
    }
]
Parameters:
  • group_names (list) – list of group identified by name and its domain.
  • mapping_id (str) – id of the mapping used for mapping assertion into local credentials
  • identity_api – identity_api object
  • resource_api – resource manager object
Returns:

generator object with group ids
Raises keystone.exception.MappedGroupNotFound:
 

in case asked group doesn’t exist in the backend.
keystone.federation.utils.validate_expiration(token_ref)[source]
keystone.federation.utils.validate_groups(group_ids, mapping_id, identity_api)[source]

Check group ids cardinality and check their existence in the backend.

This call is not transactional. :param group_ids: IDs of the groups to be checked :type group_ids: list of str

Parameters:
  • mapping_id (str) – id of the mapping used for this operation
  • identity_api (identity.Manager) – Identity Manager object used for communication with backend
Raises:
keystone.federation.utils.validate_groups_cardinality(group_ids, mapping_id)[source]

Check if groups list is non-empty.

Parameters:group_ids (list of str) – list of group ids
Raises keystone.exception.MissingGroups:
 if group_ids cardinality is 0
keystone.federation.utils.validate_groups_in_backend(group_ids, mapping_id, identity_api)[source]

Iterate over group ids and make sure they are present in the backend.

This call is not transactional. :param group_ids: IDs of the groups to be checked :type group_ids: list of str

Parameters:
  • mapping_id (str) – id of the mapping used for this operation
  • identity_api (identity.Manager) – Identity Manager object used for communication with backend
Raises keystone.exception.MappedGroupNotFound:
 

If the group returned by mapping was not found in the backend.
keystone.federation.utils.validate_idp(idp, protocol, assertion)[source]

The IdP providing the assertion should be registered for the mapping.

keystone.federation.utils.validate_mapping_structure(ref)[source]

Module contents

Table Of Contents

Previous topic

keystone.endpoint_policy.backends package

Next topic

keystone.federation.V8_backends package

Project Source

This Page

Navigation

© Copyright 2012, OpenStack, LLC. Last updated on 'Wed Feb 1 18:44:36 2017, commit 27793e6'. Created using Sphinx 1.2.3.